The accelerated digital transformation in response to COVID-19 has moved the world online. People are working remotely, attending medical appointments virtually, socializing and participating in community life online – and the list goes on. The adoption of innovative technology has bridged the gap and enabled many critical services to remain open. It has also generated an unprecedented amount of data, which is being collected and processed by organizations with disparate privacy policies; as a result, consumers rightfully have heightened concerns.
Recently, I had the opportunity to participate in the Victoria Privacy & Security Conference along with more than 1,000 security and privacy professionals from around the world. This event brought thought leaders together at a unique moment in time – the pandemic has demonstrated the indispensable value of data while also revealing the need for a more robust and permanent governance framework that facilitates data sharing and establishes public trust in how data is collected and used. In their keynote address, Julie Brill, Chief Privacy Officer, Microsoft CVP, and Deputy General Counsel of Global Privacy and Regulatory Affairs, and Patricia Kosseim, Information and Privacy Commissioner of Ontario, explored this topic and shared their perspectives on how individuals view the protection of their personal information, how organizations set their strategic priorities, and the development of regional privacy laws and their impact globally.
Privacy Learnings from COVID-19
As Kosseim poignantly stated, COVID-19 has created a single, unifying urgency that has brought together the international community: “It’s sparking collaborations across organizations, sectors and jurisdictions like never seen before to facilitate data sharing and deployment of new technologies to accelerate our understanding of how to prevent the spread of the virus and how to treat its debilitating impacts.”
Data was instrumental in solving many of the problems that have arisen from the crisis, from contact tracing, to treating patients, to vaccine development.
“As one of many examples in this space, Microsoft is involved in helping other companies develop exposure notification systems for cellphones. We felt it was important to articulate the principles around the use of that data,” said Brill. “We developed principles and we said that in the context of exposure notifications that very sensitive personal information should be collected with meaningful consent; it should only be used for public health purposes; it shouldn’t be shared without consent unless it’s being shared in the context of public health. These principles did help bolster the kind of trust that people need whenever their sensitive data is in use.”
Even though these digital solutions were being developed in a time of urgent need, preserving privacy is critical and these solutions still need to meet the high standards of transparency and accountability that we demanded before the pandemic. In addition to being transparent about the reason for collecting data, what data is collected and how long it is kept, we must ensure appropriate safeguards are in place to secure the data. This includes de-identification, encryption, rotating and random identifiers, decentralized identities or similar measures to protect people’s data from harmful exposure and hacking attempts.
The Prospects for Privacy Laws
As Brill highlighted, the COVID-19 crisis required data to be unlocked in a responsible way; however, without baseline privacy legislation, many companies did not know how to proceed because they didn’t understand the guardrails around responsible data use and protection.
“What we have yet to develop are appropriate governance frameworks to oversee the timely and flexible data sharing arrangements with the private sector – particularly for public good or data-for-good initiatives,” said Kosseim. “These frameworks have to be more open to public scrutiny than they traditionally have been in the past and they have to ensure responsible treatment of data in accordance not only with privacy standards, but with broader societal concepts: fairness, accountability, transparency.”
Policy legislation is one side of the coin; the other is public acceptance. Building trust with citizens will be equally important, and it starts with ensuring AI systems are developed responsibly and in ways that warrant people’s trust. At Microsoft, we’ve established the Office of Responsible AI, which sets company-wide rules for AI through the implementation of our governance and public policy work. As part of this, our senior leadership relies on the Aether Committee, and the local Responsible AI team I lead, to make recommendations on responsible AI issues, technologies, processes and best practices. The Aether Committee’s working groups also undertake research and development and provide advice on rising questions, challenges and opportunities. This informs our work with customers: we provide resources for them to establish principles and a governance model that ensures they are building trust and collecting, storing and using data in a responsible way.
We are facing an exciting time for privacy reform in Canada. According to Brill, over the next 5 years, we can expect an evolving regulatory landscape that will involve more privacy laws and more in-depth laws that will be updated to meet the current environment. In Ontario, Kosseim’s team will be focused on a set of strategic priorities that may include digital service delivery, transparency and open government, responsible use of data for good, access privacy and youth, next generation law enforcement and trust in virtual health.
“In five years, my hope is that we’ll be sitting here discussing what we managed to accomplish in the strategic areas we will have selected,” said Kosseim. “The holy grail is if we can bring about the cultural change needed to build a sustainable trust and confidence in using and sharing data, in ways that can really help advance society’s broader objectives – economic, health, social, etc.”
For more information on how Microsoft’s cloud services comply with Canadian policy, regulatory and legislative requirements, visit Compliance Resources for Canada. Also visit CISO Central for workshops, training and information on Zero Trust security and compliance.
Interested in continuing the conversation? Mark your calendar and join me at Assure 2021, Microsoft Canada’s premier thought leadership event for privacy, risk, compliance, and legal leaders and professionals, on April 27, 2021.